[webkit-changes] [WebKit/WebKit] 3353f1: [JSC] Enable Allocation Sinking for NewArrayWithCo...
Yijia Huang
noreply at github.com
Wed Feb 19 22:46:09 PST 2025
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3353f1290c6aa2eebdd48c99c539a6a0858c8ab1
https://github.com/WebKit/WebKit/commit/3353f1290c6aa2eebdd48c99c539a6a0858c8ab1
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2025-02-19 (Wed, 19 Feb 2025)
Changed paths:
M JSTests/microbenchmarks/loop-unrolling-4.js
A JSTests/microbenchmarks/loop-unrolling-5.js
A JSTests/stress/array-allocation-sink.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGInsertionSet.h
M Source/JavaScriptCore/dfg/DFGMayExit.cpp
M Source/JavaScriptCore/dfg/DFGNode.h
M Source/JavaScriptCore/dfg/DFGNodeType.h
M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
M Source/JavaScriptCore/dfg/DFGObjectMaterializationData.h
M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
M Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.cpp
M Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.h
M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp
M Source/JavaScriptCore/dfg/DFGValidate.cpp
M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
M Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp
M Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/ftl/FTLOperations.cpp
M Source/JavaScriptCore/runtime/IndexingType.h
M Source/JavaScriptCore/runtime/OptionsList.h
Log Message:
-----------
[JSC] Enable Allocation Sinking for NewArrayWithConstantSize
https://bugs.webkit.org/show_bug.cgi?id=287731
rdar://144885784

Reviewed by Yusuke Suzuki.

This patch enables allocation sinking for NewArrayWithConstantSize, allowing
the DFG JIT to eliminate unnecessary array allocations when safe. This
optimization removes dead allocations and materializes them only if needed,
reducing memory overhead and improving execution efficiency. See the comments
in DFGObjectAllocationSinkingPhase.cpp for details.

Changes:
1. Introduced PhantomNewArrayWithConstantSize and MaterializeNewArrayWithConstantSize
   nodes for sinking and materializing arrays.
2. Tracked array allocations and indexed properties using ArrayIndexedPropertyPLoc
   and ArrayLengthPropertyPLoc.
3. Eliminated redundant bounds checks with removeCheckInBoundsIfNeeded.
4. Implemented JIT and FTL support for materializing sunken arrays.
5. Guarded sinking with isWatchingArrayPrototypeChainIsSaneWatchpoint, isInBounds,
   and constant index access to ensure deoptimization safety.
6. Added Options::useArrayAllocationSinking for runtime control.

* JSTests/microbenchmarks/loop-unrolling-4.js:
(test):
* JSTests/microbenchmarks/loop-unrolling-5.js: Added.
(assert):
(test):
* JSTests/stress/array-allocation-sink.js: Added.
(assert):
(run):
(assert.test):
(run.test):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGMayExit.cpp:
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::convertToPhantomNewArrayWithConstantSize):
(JSC::DFG::Node::hasNewArraySize):
(JSC::DFG::Node::newArraySize):
(JSC::DFG::Node::hasIndexingType):
(JSC::DFG::Node::hasObjectMaterializationData):
(JSC::DFG::Node::isPhantomAllocation):
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:
* Source/JavaScriptCore/dfg/DFGObjectMaterializationData.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.cpp:
(WTF::printInternal):
* Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.h:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp:
* Source/JavaScriptCore/dfg/DFGValidate.cpp:
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp:
(JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
* Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h:
(JSC::FTL::ExitTimeObjectMaterialization::indexingType const):
(JSC::FTL::ExitTimeObjectMaterialization::size const):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithConstantSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithConstantSize):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/runtime/IndexingType.h:
(JSC::isNewArrayWithConstantSizeIndexingType):
* Source/JavaScriptCore/runtime/OptionsList.h:
Canonical link: https://commits.webkit.org/290691@main
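
The following is an added example, not part of the commit or of WebKit's test suite: it shows the plain JavaScript semantics that the guards named in item 5 of the log message (sane Array prototype chain, in-bounds access, constant index) have to preserve when an array allocation is elided. It assumes `new Array(n)` with a literal `n` is the source form behind a constant-size array allocation; all function names are hypothetical.

```javascript
// Added illustration: language semantics only, no JSC internals are exercised.

// Case 1: the array never escapes and every access is a constant,
// in-bounds index that was stored first. The result does not depend on
// the array object existing, so the allocation is dead.
function sumPair(x, y) {
  const a = new Array(2);
  a[0] = x;
  a[1] = y;
  return a[0] + a[1];
}

// Case 2: an in-bounds read of a hole (never stored) falls through to
// Array.prototype, so the answer depends on the prototype chain.
function readHole() {
  const a = new Array(2);
  return a[0];
}

// Case 3: an out-of-bounds read also consults the prototype chain.
function readPastEnd() {
  const a = new Array(2);
  a[0] = 1;
  a[1] = 2;
  return a[2];
}

// Case 4: the array escapes to the caller, which can observe its
// length and identity, so a real object must exist at that point.
function escapes(x) {
  const a = new Array(2);
  a[0] = x;
  return a;
}

// Run fn while Array.prototype temporarily carries an indexed property.
function withIndexedPrototype(index, value, fn) {
  Array.prototype[index] = value;
  try { return fn(); } finally { delete Array.prototype[index]; }
}

function demo() {
  return {
    sunk: sumPair(3, 4),
    holeSane: readHole(),
    holePolluted: withIndexedPrototype(0, "proto", readHole),
    oobSane: readPastEnd(),
    oobPolluted: withIndexedPrototype(2, "proto", readPastEnd),
    escapedLength: escapes(9).length,
  };
}
console.log(demo());
```

Cases 2 and 3 return different values once `Array.prototype` gains an indexed property, which is the kind of observable difference a prototype-chain watchpoint and a bounds guard are there to rule out before an allocation is dropped.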